When different teams work with different procedures in different software solutions to address the many internal policies and external regulations to which a company is subject, the result is inconsistent master data, unnecessary costs, and a lack of management visibility. SAP BusinessObjects Process Control 3.0 comes with a global master data catalogue and a multiple compliance framework to provide an efficient solution. It allows you to manage compliance with multiple regulations in a unified manner in a single system using shared master data. Learn more about how it works and how to set it up in the system.
Key Concept
SAP BusinessObjects Process Control 3.0 runs on an SAP NetWeaver Application Server ABAP 7.01 SP3 or higher and requires an SAP NetWeaver Portal on the same release level as the user interface. The user interface consists of iViews, worksets, and portal roles. The standard reports and dashboards in SAP BusinessObjects Process Control use SAP BusinessObjects Crystal Reports and Xcelsius dashboard technology. The solution also comes with the capability of automated control testing in SAP and non-SAP systems, requiring the installation of Real-Time Agents (RTAs) or adapters from SAP’s software partner Greenlight, respectively. Due to this solution architecture the configuration of a new compliance initiative in SAP BusinessObjects Process Control requires nothing more than some customizing in the IMG and creation of portal content objects based on copies of the content already delivered with the software.
Companies face the challenge to stay compliant with a multitude of diverse regulations and internal policies. Each region has its own unique regulatory requirements, which are not limited solely to financial compliance. Global companies not only need to adhere to their own country’s regulatory mandates, but also to regulatory mandates of any country in which they do business. In most compliance environments, each initiative is managed separately, not only by different individuals, but also by different systems and procedures. This results in the following issues:
- Lack of management confidence due to non-standardized procedures and reporting
- Duplication of efforts due to redundant evaluations and tests
- Inconsistent master data maintained in multiple systems
- Higher IT costs with multiple systems to maintain and support
- Slow time-to-compliance as new systems need to be procured, data maintained, and users trained
- Manual documentation such as spreadsheets or other paper-based solutions
- Limited oversight across all compliance initiatives from a global perspective
A multiple compliance framework (MCF) solution can overcome these issues. Using a single solution that can handle several different compliance and policy mandates increases both efficiency and effectiveness. Using an MCF helps to eliminate the duplication of efforts and simplify the management of compliance initiatives by using common master data across the entire environment. A single solution reduces the amount of IT hardware needed and the cost of powering and maintaining servers. It also reduces the cost of training users on multiple systems and multiple processes.
SAP BusinessObjects Process Control 3.0 comes with an MCF that includes the following capabilities:
- Central master data catalog shared across compliance initiatives
- Shared surveys, manual test plans, and automated controls to reduce efforts when performing assessments, compliance testing, and continuous monitoring
- Results from evaluations can be referenced from multiple compliance initiatives instead of repeating them
- Common compliance processes and reporting within and across compliance initiatives
I will cover how the MCF in SAP BusinessObjects Process Control is used from a business user perspective and how a new regulation is set up in the system. As an example I will use a compliance initiative for the Japanese version of Sarbanes-Oxley (JSOX). For a high-level overview of SAP BusinessObjects Process Control, refer to my prior article on a risk-based internal control system.
Using the MCF
The SAP BusinessObjects Process Control portal user interface contains tabs for the Global Compliance Office (GCO) and for each compliance initiative or regulation set up in the system (Figure 1). SAP BusinessObjects Process Control comes with two pre-defined regulations: Sarbanes-Oxley and the US Food and Drug Administration (FDA). Access to the respective tabs is granted via assignment of the corresponding portal roles.

Figure 1
SAP BusinessObjects Process Control UI showing the GCO and multiple compliance initiatives as tabs in the second-level navigation
In the GCO, you set up the master data and evaluations such as surveys, manual test plans, and automated controls. You can select from both master data and evaluations in the context of a specific regulation. You maintain the following master data objects in the GCO: organizational structure, risk categories, risks, control objectives, account groups, general ledger accounts, processes, subprocesses, controls, indirect entity-level controls, regulation or policy groups, and regulations or policies.
In addition, you set up relations between them, such as control objective to risk, subprocess to control objective, subprocess to risk, control to risk, account group to risk, subprocess to account group, and regulation to organization. However, processes, subprocesses, and controls aren’t yet associated with organizations in the GCO, but in the context of a given regulation. In the Global Report Center of the GCO, you will find numerous standard reports that can run within or across the regulations set up in your system.
Figure 2 shows the SAP BusinessObjects Process Control UI of a user assigned a portal role that contains no access to the GCO, but only to the workset for the JSOX regulation. The JSOX workset is comprised of the following work centers (i.e., portal pages) accessible through the detailed navigation on the left pane of the screen:
- Compliance Structure: Add subprocesses from the central process catalogue created in the GCO to your regulation. Then, assign them to your organizations you previously set in scope for your regulation. You can establish this assignment as a reference or as a local copy of the subprocess. In the latter case, you can change the subprocesses in the context of your local organization without affecting the subprocess in the central process catalogue. Subprocesses assigned as references can’t be changed locally, but allow for leveraging control evaluations from other compliance initiatives. This means you need to perform control evaluations only once and can reference their results for other compliance initiatives, saving time and money.
- Evaluation Setup: Maintain schedules for continuous control monitoring, and plan assessment surveys and compliance testing for subprocesses and controls you assigned to organizations in the context of JSOX. Also, you can track job progress for monitoring and automated testing.
- Evaluation Results: Process open issues and track their remediation resulting from continuous control monitoring, or compliance assessments and testing in the context of the JSOX regulation
- Certification: Plan a sign-off and aggregation-of-deficiencies procedure to trigger workflow tasks for organizations scoped in for the JSOX regulation. Monitor the progress of the sign-off process for your areas of responsibility to support the company’s compliance certifications.
- Report Center: Report on all aspects of your compliance initiative for JSOX. Different from the Global Report Center in the GCO, you can only run reports within your regulation, but not across multiple compliance initiatives.
- User Access: The JSOX Internal Control Manager assigns application roles to users for specific entities, granting them access to specific tasks within the JSOX regulation.

Figure 2
User assigned to a portal role containing the My Home and Regulations – JSOX worksets only
Configuration of a New Regulation
Next I’ll focus on how a new regulation such as JSOX is set up in the system. Assume that the SAP BusinessObjects Process Control installation and post-installation have already been completed. That includes the activation of the Business Configuration Sets (BC-Sets) containing pre-delivered customizing settings in the SAP BusinessObjects Process Control business client, as explained in the SAP installation guide. The configuration comprises a number of steps to be executed in the SAP BusinessObjects Process Control application server (ABAP), in the SAP NetWeaver Portal providing the UI, and in the GCO of the SAP BusinessObjects Process Control application itself. These steps result from the underpinning SAP BusinessObjects Process Control security concept, which consists of SAP standard roles, SAP BusinessObjects Process Control application roles, and portal roles. For more details on the security concept, refer to the SAP BusinessObjects Process Control Security Guide available in SAP Service Marketplace.
Copy and Generate Application Roles
SAP delivers application roles for the GCO, Sarbanes-Oxley, and FDA regulations. Application roles are maintained in the profile generator transaction PFCG, but are exclusively assigned to users in the respective User Access work center where they establish a triangular relation between an entity, a role, and a user. For example, selecting a particular process first and assigning a user to the Sarbanes-Oxley tester role provides this user with all required authorizations to test controls tied to subprocesses under the selected process. Each application role is associated with one of the following entity levels: corporate, organization, process, subprocess, or control.
You are free to design application roles for the new regulation according to your requirements. In my example of the JSOX regulation, I will copy the SOX application roles. It is not required to change the authorizations in the copied roles, because the customizing settings explained later ensure that a holder of a JSOX role won’t have access to any entities within the SOX regulation and vice versa. The role description field in profile generator determines how the role will appear in the User Access work center for user assignments. Table 1 lists the JSOX application roles copied from the respective pre-delivered SOX roles. Don’t forget to generate the copied roles in the profile generator transaction.

Table 1
Application roles for JSOX regulation copied from respective Sarbanes-Oxley roles
Define the Subtype in IMG Customizing
MCF organization attributes are associated with infotype 5337. For each new compliance initiative you have to create a new subtype. Use transaction SPRO to open the IMG customizing in the SAP BusinessObjects Process Control application server and navigate to the node GRC Process Control > Multiple-Compliance Framework > Define Subtype for Organization Attributes. Use 5X00 (e.g., 5300) for the new subtype for the JSOX regulation (Figure 3).

Figure 3
New subtype 5300 created for JSOX regulation
Configure the New Compliance Initiative
The pre-delivered BC-Sets already contain two fully configured regulation types: Financial Compliance assigned to Sarbanes-Oxley and Operational Compliance assigned to FDA. Each regulation type is associated with specific features such as:
- Account groups and financial assertions
- Aggregation of deficiencies (AoD)
- Corrective action, preventive action (CAPA) remediation plans with or without eSignature for operational compliance initiatives such as FDA
- Planner tasks relevant for regulation type
- Sign-off process
- Custom fields
A regulation inherits the features associated to the regulation type to which it has been tied. In the IMG, navigate to GRC Process Control > Multiple-Compliance Framework > Configure Compliance Initiative to create and configure new regulation types or assign new regulations to existing regulation types. As the JSOX regulation in this example requires the same features as the Sarbanes-Oxley regulation, you can assign it to the regulation type Financial Compliance. This is done in two steps.
First, define a regulation configuration for JSOX using the subtype you just created. For the CR (Crystal Reports) Section ID in the last column, use a single letter that hasn’t been used in any other regulation configuration so far (Figure 4). The regulation configuration ID in the first column is later used as an application parameter when creating portal content objects.

Figure 4
Define a regulation configuration for JSOX
Then assign the regulation configuration JSOX to the regulation type Financial Compliance (Figure 5).

Figure 5
Assign regulation JSOX to regulation type Financial Compliance
Maintain Regulation-Role Assignments
In the IMG navigate to GRC Process Control > Authorizations > Maintain Regulation Role Assignment and associate the JSOX application roles created above with an entity level and the regulation configuration for JSOX (Figure 6). Check the Unique User flag for roles assigned to single users only. The JSOX internal control manager role (Z_GRC_SPC_JSOX_ICMAN in Figure 6) is a potential candidate for this flag depending on your requirements.

Figure 6
Associate your JSOX application roles with their entity level and the regulation configuration for JSOX
Maintain Roles to Receive Workflow Tasks
In this customizing activity you configure the application role that determines the users that are recipients of the corresponding workflow activity for each business event in SAP BusinessObjects Process Control. These customizing entries determine the users receiving workflow tasks in their inboxes based on business events (e.g., perform assessment, perform control-risk assessment), entity, and subentity. For example, workflow tasks related to the business event Perform Assessment with entity Assessment (G_AS) and subentity control design assessment (CD) are sent to the holders of the application role JSOX Control Owner, whereas workflow tasks for the same business event and the same entity but subentity Process Design Assessment (PD) are sent to the holder of the application role JSOX Subprocess Owner.
As the JSOX application roles should receive the equivalent workflow tasks sent to the holders of the Sarbanes-Oxley application roles, you can simply copy the pre-delivered settings for the Sarbanes-Oxley application roles and replace the role names accordingly. This leads to the settings in Figure 7 to be added in IMG under the node GRC Process Control > Authorizations > Maintain Roles to Receive Tasks in Workflow. Table 2 provides a description for each abbreviation used in Figure 7.

Figure 7
The holders of the roles receive workflow tasks for the specified business events, entities, and subentities

Table 2
Abbreviations used in Figure 7
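The regulation-role assignment described under “Copy and Generate Application Roles” and “Maintain Regulation-Role Assignments” and the workflow routing described in the two paragraphs above follow one simple pattern: a role is tied to exactly one regulation configuration and one entity level, a user is granted the role for a specific entity, and task recipients are looked up from a (business event, entity, subentity) table. The following Python model is an added illustration of that pattern, not SAP code and not the behaviour of any SAP table or API; every entity name, user ID and role description other than JSOX Internal Control Manager, JSOX Control Owner and JSOX Subprocess Owner is constructed for the example, and the entity hierarchy is simplified to a single chain from corporate down to control.

```python
"""Constructed model (not SAP code) of the MCF authorization and workflow-routing
concept: an application role belongs to one regulation and one entity level, is
granted to a user for a specific entity, and covers that entity and everything
beneath it; workflow recipients are resolved through a routing table."""
from dataclasses import dataclass
from typing import Optional

ENTITY_LEVELS = ("corporate", "organization", "process", "subprocess", "control")


@dataclass(frozen=True)
class Entity:
    level: str
    name: str
    parent: Optional["Entity"] = None

    def lineage(self):
        """Yield this entity, then its parent, grandparent, ... up to corporate."""
        node = self
        while node is not None:
            yield node
            node = node.parent


# Regulation-role assignment (IMG activity "Maintain Regulation Role Assignment"):
# role description -> (regulation configuration, entity level). Constructed values;
# the SOX/JSOX pairs mirror the article's copy-the-SOX-roles approach.
REGULATION_ROLE = {
    "SOX Tester": ("SOX", "process"),
    "SOX Control Owner": ("SOX", "control"),
    "SOX Subprocess Owner": ("SOX", "subprocess"),
    "JSOX Internal Control Manager": ("JSOX", "corporate"),
    "JSOX Tester": ("JSOX", "process"),
    "JSOX Control Owner": ("JSOX", "control"),
    "JSOX Subprocess Owner": ("JSOX", "subprocess"),
}

# Roles receiving workflow tasks for SOX: (event, entity, subentity) -> role.
# Two constructed rows modelled on the article's Perform Assessment example.
SOX_TASK_ROUTING = {
    ("Perform Assessment", "G_AS", "CD"): "SOX Control Owner",
    ("Perform Assessment", "G_AS", "PD"): "SOX Subprocess Owner",
}


def derive_routing(source, old_prefix, new_prefix):
    """Copy a routing table for another regulation by renaming the roles only.
    Refuses a row whose renamed role has no regulation-role assignment, so a
    typo in the copied customizing cannot silently route tasks to nobody."""
    derived = {}
    for key, role in source.items():
        new_role = new_prefix + role[len(old_prefix):]
        if new_role not in REGULATION_ROLE:
            raise KeyError(f"no regulation-role assignment for {new_role}")
        derived[key] = new_role
    return derived


class UserAccess:
    """The triangular user / role / entity assignment made in User Access."""

    def __init__(self):
        self.grants = []  # (user, role, entity)

    def grant(self, user, role, entity):
        _, level = REGULATION_ROLE[role]
        if entity.level != level:
            raise ValueError(f"{role} is a {level}-level role, got {entity.level}")
        self.grants.append((user, role, entity))

    def is_authorized(self, user, regulation, entity):
        """True if the user holds a role of this regulation on the entity or one
        of its ancestors. A role of another regulation never counts, even though
        the master-data entity itself is shared across regulations."""
        lineage = set(entity.lineage())
        return any(
            u == user and REGULATION_ROLE[r][0] == regulation and e in lineage
            for u, r, e in self.grants
        )

    def task_recipients(self, routing, event, entity_code, subentity, entity):
        """Users whose granted role matches the routing row and covers the entity."""
        role = routing[(event, entity_code, subentity)]
        lineage = set(entity.lineage())
        return sorted({u for u, r, e in self.grants if r == role and e in lineage})


def demo():
    """Constructed scenario: one JSOX tester, one SOX tester, one control owner."""
    corporate = Entity("corporate", "Corporate")
    org = Entity("organization", "Japan Subsidiary", corporate)
    p2p = Entity("process", "Procure to Pay", org)
    sub = Entity("subprocess", "Vendor Master", p2p)
    ctrl = Entity("control", "Vendor bank change approval", sub)

    access = UserAccess()
    access.grant("tanaka", "JSOX Tester", p2p)
    access.grant("smith", "SOX Tester", p2p)
    access.grant("sato", "JSOX Control Owner", ctrl)
    jsox_routing = derive_routing(SOX_TASK_ROUTING, "SOX", "JSOX")
    return {
        "tanaka_jsox": access.is_authorized("tanaka", "JSOX", ctrl),
        "tanaka_sox": access.is_authorized("tanaka", "SOX", ctrl),
        "smith_jsox": access.is_authorized("smith", "JSOX", ctrl),
        "cd_recipients": access.task_recipients(
            jsox_routing, "Perform Assessment", "G_AS", "CD", ctrl),
        "jsox_routing": jsox_routing,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is the one the article relies on when it says the copied JSOX roles need no authorization changes: the regulation is carried by the role, not by the shared master data, so a SOX tester on the same process is not authorized for a JSOX evaluation of the same control, and the only difference between the SOX and JSOX routing tables is the role name.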
Create Portal Content Objects
The SAP BusinessObjects Process Control software includes the following objects for the pre-delivered regulations Sarbanes-Oxley and FDA in the folder Content Provided by SAP > GRC Process Control:
- iViews in the subfolder iViews > WORK CENTER > SOX and FDA
- Worksets Regulation – SOX and Regulation – FDA in the subfolder Worksets > WORK CENTER
- Portal roles GRC Process Control – SOX and GRC Process Control – FDA in the subfolder Roles
In addition, there is a role GRC Process Control – All that contains all worksets including the ones belonging to SOX and FDA. Each workset in this role adds a tab for each regulation to the second-level navigation of the portal as shown in Figure 1.
You need to create the corresponding portal content objects for the new regulation JSOX and extend the GRC Process Control – All role to accommodate the new JSOX workset as an additional tab. Because the JSOX workset and role require the same iViews as the SOX regulation, you can create all portal content objects starting with a copy of the respective SOX object.
Let’s start with a copy of the subfolder iViews > WORK CENTER > SOX. Log on to the SAP NetWeaver Portal as the content administrator. Select the subfolder, right-click to open the context menu, and select Copy (Figure 8).

Figure 8
Create a copy of the subfolder iViews > WORK CENTER > SOX
Then select the WORK CENTER folder, right-click and choose Paste to create a second subfolder SOX. Right-click the new subfolder and select Change ID. As New Object Name, enter JSOX and as New Object ID enter 0WORKSET_REG_JSOX. Don’t change the object ID prefix (Figure 9).

Figure 9
Change the Object Name and Object ID of the copied subfolder SOX
Now, expand the renamed subfolder JSOX and open the first iView to change the application parameter REGULATION to point to the regulation configuration JSOX you defined previously in the IMG settings (Figure 10). Continue likewise with the remaining iViews in the subfolder JSOX.

Figure 10
Change application parameter REGULATION to JSOX for each iView contained in subfolder JSOX
Now you need to create the workset Regulation – JSOX in a similar fashion. Create a copy of the workset Regulation – SOX and change its ID to Regulation – JSOX. Then open it and right-click the first iView listed (Figure 11). Select Edit to change the application parameter REGULATION to point to the regulation configuration JSOX (Figure 12).

Figure 11
Open the workset Regulation – JSOX to change the application parameter REGULATION in each iView contained

Figure 12
Change application parameter Regulation to JSOX
Continue creating a role GRC Process Control – JSOX by copying the analogous SOX role, changing its ID, and replacing the Regulation – SOX workset contained in the role by the Regulation – JSOX workset you have just created.
Finally, open the role GRC Process Control – All, right-click the workset Regulation – JSOX, and choose Add Workset to Role > Delta Link to add the new workset JSOX to the role (Figure 13).

Figure 13
Add the new workset JSOX to the Role GRC Process Control – All
Create a New Regulation in the GCO
Log on with a user holding the Global Regulation Admin role and navigate in the portal user interface to GRC Process Control > Global Compliance Office > Global Compliance Structure > Regulations and Policies (Figure 14). Select the Regulation/Policy Group Financial Compliance and click Create > Regulation Policy to create the JSOX regulation in the application itself. Enter the name and description, and assign the regulation configuration JSOX.

Figure 14
Create the JSOX regulation in the GCO and assign the regulation configuration JSOX
Continue clicking the Organizations tab and add the organizations that are subject to the JSOX regulation (Figure 15).

Figure 15
Assign your organizations that are subject to JSOX
Finally, assign a user to the application role JSOX Internal Control Manager. The user granted this role will then assign the remaining application roles to business users within the JSOX initiative. Navigate to Regulation – JSOX > User Access and select Corporate and Organization Roles. In the Select Organization screen of the guided procedure, click Next and assign a user to the JSOX Internal Control Manager application role at corporate level (Figure 16).

Figure 16
Assign the JSOX Internal Control Manager application role
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.